'This is about pushing the standard forward and getting widespread adoption.'

Shawn Davenport, Github

Google also lets other companies use YubiKeys when logging into various Google business services, like Gmail and Google Docs. Dropbox does much the same with its file-sharing service. And this morning, the idea took another significant step toward mainstream acceptance when GitHub announced that it will accept YubiKey authentication on its popular code-collaboration service.

At first blush, that may sound odd. GitHub is best known as the Internet's primary hub for open source software, the place where people go to freely share code. But many businesses and coders also use GitHub as a means of storing and building private code. And in some cases, added security is important for open source code, too. Open source software now drives our world, and when a trusted coder makes an important change, we need to be sure that it's really the trusted coder.

Getting Past the Password

More specifically, GitHub says it will now handle what is called the FIDO Universal 2nd Factor, or U2F, specification. Google and Yubico, maker of the YubiKey, have shared the key's underlying technology with the world at large, and now, other companies can make similar keys. The aim is to make this kind of authentication as pervasive as possible.

GitHub's announcement is another step down the same path. The company's involvement is particularly noteworthy because it will also encourage a world of software coders to add U2F to their own applications. "We have a community of developers responsible for web services across the Internet," says Shawn Davenport, GitHub's head of security. "This is about pushing the standard forward and getting widespread adoption."

GitHub also offers two-factor authentication through SMS messages and smartphone apps like Google Authenticator, which generate a unique verification code every few seconds. But like others, the company believes that U2F is a better option. For one thing, if users lose a key, they can simply use another. With phone apps, the process is more complicated. "Authenticator is pretty clunky from a user perspective," says Davenport, who previously helped dovetail the app with GitHub. "We've seen many people shy away from it for that reason.

The drawback, at the moment, is that U2F only works with Google's Chrome web browser, and it doesn't work on phones. But Davenport hopes that GitHub's involvement will help change that. In conjunction with today's announcement at a GitHub conference in Silicon Valley, the company is handing out free YubiKeys. And it's partnering with Yubico to offer discounts on additional keys via the web. Act fast. Some keys also give you The Octocat.